diff options
| author | João Valverde <j@v6e.pt> | 2022-06-24 00:07:42 +0100 |
|---|---|---|
| committer | João Valverde <j@v6e.pt> | 2022-06-25 14:57:40 +0100 |
| commit | aaff0d21aef1f4702b87c068900a8af48d9884b6 (patch) | |
| tree | a9411eabe79b90470ba3b537f739c0196ea4108f /docbook | |
| parent | e9e6431d7b68e5ceacc41f3b3e1c8d290e55666b (diff) | |
dfilter: Add layer support for references
This adds support for using the layers filter
with field references.
Before:
$ dftest 'ip.src != ${ip.src#2}'
dftest: invalid character in macro name
After:
$ dftest 'ip.src != ${ip.src#2}'
Filter: ip.src != ${ip.src#2}
Syntax tree:
0 TEST_ALL_NE:
1 FIELD(ip.src <FT_IPv4>)
1 REFERENCE(ip.src#[2:1] <FT_IPv4>)
Instructions:
00000 READ_TREE ip.src <FT_IPv4> -> reg#0
00001 IF_FALSE_GOTO 5
00002 READ_REFERENCE_R ${ip.src <FT_IPv4>} #[2:1] -> reg#1
00003 IF_FALSE_GOTO 5
00004 ALL_NE reg#0 != reg#1
00005 RETURN
This requires adding another level of complexity to references.
When loading references we need to copy the 'proto_layer_num'
and add the logic to filter on that.
The "layer" sttype is removed and replace by a new
field sttype with support for a range. This is a nice
cleanup for the semantic check and general simplification.
The grammar is better too with this design.
Range sttype is renamed to slice for clarity.
Diffstat (limited to 'docbook')
| -rw-r--r-- | docbook/release-notes.adoc | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/docbook/release-notes.adoc b/docbook/release-notes.adoc index 9e0cfcd33a..a021af3c26 100644 --- a/docbook/release-notes.adoc +++ b/docbook/release-notes.adoc @@ -96,7 +96,8 @@ They previously shipped with Qt 5.12.2. For example the expression "all tcp.port > 1024" is true if and only if all tcp.port fields match the condition. Previously only the default behaviour to return true if any one field matches was supported. ** Field references, of the form ${some.field}, are now part of the syntax of display filters. Previously they were implemented as macros. - The new implementation is more efficient and allows matching multiple values, like any other protocol field. + The new implementation is more efficient and has the same properties as protocol fields, like matching on multiple values + using quantifiers and support for layer filtering. ** Arithmetic is supported for numeric fields with the usual operators “+”, “-”, “*”, “/”, and “%”. Arithmetic expressions must be grouped using curly brackets (not parenthesis). ** New display filter functions max(), min() and abs() have been added. |